
#1 2020-08-19 19:54:40

itektur
Member
Registered: 2014-03-01
Posts: 19

System user-specific firewalling, systemd and DynamicUser

I am used to using iptables and rules that depend on user id (uid) in order to restrict network access. The other day, I installed a daemon (stubby) and I was trying to configure my firewall accordingly. Unfortunately, it does not work as reliably as I expected.

At a very specific point, my /etc/iptables/iptables.rules reads something like

-A OUTPUT -p tcp -m tcp --dport 853 -d XXX.XXX.XXX.XXX -m owner --uid-owner stubby -j ACCEPT

which sometimes results in this:

iptables-restore v1.8.5 (legacy): owner: Bad value for "--uid-owner" option: "stubby"

If I understand http://0pointer.net/blog/dynamic-users- … stemd.html correctly, the issue is that the systemd unit file reads DynamicUser=yes so the user stubby does not exist until after stubby.service has been started. Thus, given my firewall rules, it is impossible to simply start or restart iptables.service without having stubby.service already running. This is not what I want, as I consider it a security issue.

I would like to keep the systemd unit files provided with stubby unchanged, if this is possible. I can think of two ways to solve this:

Way 1: Changing the way the unit is started such that DynamicUser=no (without touching the original unit files, preferably), and use a manually created system user called stubby. In other words, do it the old way. How should I do this in a way that there is minimal to no clash with systemd or other services (or system users) I might install in the future?

Way 2: Trying to update my firewall according to the state stubby is in. That is, insert that specific rule via iptables just before and whenever stubby is about to run for whatever reason. Also, remove the very same rule just after and whenever stubby stops running for whatever reason. What is the most reliable (and preferably kind-of-future-proof) way to do so?

I prefer a solution close to way 1 as it does not rely on additional action that needs to be triggered and executed correctly, so it is more static and, thus, simpler and probably more reliable. However, I am not used to creating system users myself, and I am no systemd expert, either. I also browsed the wiki and the forums, to no avail. Any helpful ideas or pointers?

P.S.: I know that iptables is a bit dated, but this is a different issue.

EDIT/P.P.S.: Whatever solution might work does not need to use iptables. Anything that helps to implement the overall idea is welcome. I am more concerned about getting it working at all, and (hopefully) reliability.

Last edited by itektur (2020-08-20 04:30:28)

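The following is an added worked example of "way 1" from the post above; it is not code from the original post or from the stubby project. It leaves the packaged stubby.service untouched and instead (a) declares a static system user through systemd-sysusers, which runs early in boot, before iptables.service restores its rules, so `--uid-owner stubby` resolves at restore time, and (b) adds a drop-in that sets DynamicUser=no and restates the hardening that DynamicUser=yes implied (NoNewPrivileges, RestrictSUIDSGID, RemoveIPC, PrivateTmp, ProtectSystem=strict, ProtectHome=read-only), which would otherwise be silently lost. It also shows a uid-independent alternative, an xt_cgroup `--path` match on the service's cgroup, which can be loaded whether or not the service is running; that rule assumes a cgroup v2 (unified) hierarchy. The unit name stubby.service, the user name stubby, the destination address 192.0.2.53 and the GECOS string are assumptions for the example.

```bash
#!/bin/sh
# Added example, not from the original post: replace DynamicUser=yes on
# stubby.service with a static system user, without editing the packaged unit.
# Assumptions: unit is stubby.service, user/group name is "stubby",
# systemd-sysusers is available, cgroup v2 is used for the cgroup rule.
set -eu

UNIT="stubby.service"
SVC_USER="stubby"

# sysusers.d fragment: "u name uid gecos"; "-" lets systemd pick a system uid.
# systemd-sysusers.service runs before sysinit.target, i.e. before iptables.service,
# so the name exists by the time iptables-restore resolves --uid-owner.
sysusers_fragment() {
    printf 'u %s - "stubby DNS-over-TLS daemon"\n' "$SVC_USER"
}

# Drop-in overriding the packaged unit. DynamicUser=yes implies the listed
# hardening options; turning it off drops them, so they are restated here.
dropin_fragment() {
    cat <<EOF
[Service]
DynamicUser=no
User=$SVC_USER
Group=$SVC_USER
NoNewPrivileges=yes
RestrictSUIDSGID=yes
RemoveIPC=yes
PrivateTmp=yes
ProtectSystem=strict
ProtectHome=read-only
EOF
}

# The rule from the post, as a line for /etc/iptables/iptables.rules.
# With a static user, the name is resolved via NSS when the ruleset is restored.
firewall_rule() {
    printf -- '-A OUTPUT -p tcp -m tcp --dport 853 -d %s -m owner --uid-owner %s -j ACCEPT\n' \
        "$1" "$SVC_USER"
}

# Alternative that does not depend on a uid at all: match the service's cgroup
# (path relative to the cgroup v2 root). Evaluated per packet, so the rule loads
# fine while the service is stopped. Works with DynamicUser=yes unchanged.
cgroup_rule() {
    printf -- '-A OUTPUT -p tcp -m tcp --dport 853 -d %s -m cgroup --path "system.slice/%s" -j ACCEPT\n' \
        "$1" "$UNIT"
}

# Apply the static-user approach on the live system (needs root).
apply_override() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_override: run as root" >&2; return 1; }
    sysusers_fragment > "/etc/sysusers.d/$SVC_USER.conf"
    systemd-sysusers "/etc/sysusers.d/$SVC_USER.conf"   # create the user now, not only at next boot
    getent passwd "$SVC_USER" > /dev/null                # verify the name resolves before touching iptables
    mkdir -p "/etc/systemd/system/$UNIT.d"
    dropin_fragment > "/etc/systemd/system/$UNIT.d/static-user.conf"
    systemctl daemon-reload
    systemctl restart "$UNIT"
    # Confirm the override took effect: expect "DynamicUser=no" and "User=stubby".
    systemctl show -p DynamicUser -p User "$UNIT"
    # Now the uid-based rule can be restored independently of stubby's state.
    systemctl restart iptables.service
}

# Only act when explicitly asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "apply" ]; then
    apply_override
fi
```

Run as `sh static-stubby-user.sh apply` as root; without the `apply` argument the script only defines the functions. After the change, `systemctl cat stubby.service` shows the packaged unit plus the drop-in, and `iptables-restore` no longer fails on `--uid-owner stubby` when stubby.service is stopped. If the packaged unit uses StateDirectory= or similar, check the ownership of the existing state before restarting, since DynamicUser kept it under /var/lib/private/.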
